Hadopi? Not Even Scared!

The Minister of Culture1 and the Hadopi itself2 have been prompt to announce the launch of the Hadopi's operations: here we are, the Hadopi is ready to send its first mail to Internet users who have been caught in Trident Media Gard's nets, the private society empowered by rights holders representatives3 to monitor file sharing on peer-to-peer networks. However, analysis of enacted laws and decrees calls for more caution on this potential threat. The Hadopi might be unable to impose penalties, but it could be that the Hadopi should not even be authorized to send any warning without prior judicial ruling.

Is the Hadopi Really Ready? Not Yet

First, it should be noted that decrees that have been published show how the Hadopi is focused on its repressive mission. No decree has indeed be taken with regard to Hadopi's mission of supporting and developping legal offers. Tough, Article L331-23 of Intellectual Property Code (IPC), established by Hadopi 1 Law, makes the provisions that some decrees should establish a list of indicators on legal offers, and conditions allowing to grant a label to online services proposing such legal offers. The lack of publication of decrees needed to accomplish this mission shows that, at best, it is not a priority for the Hadopi.

On a legal point of view, the Hadopi's repressive action could be delayed by an appeal before the Council of State – the French highest administrative jurisdiction – against decree n° 2010-236 of March 5th 2010, about the Hadopi's processing system. This automated processing should allow the Hadopi4 to communicate on one hand with rights holders representatives, and on the other hand with Internet Service providers (ISPs). Yet, the government has missed out to consult the Regulating Authority of Electronic and Postal Communications (ARCEP) – a consultation which is a legal obligation5. Therefore, would the Council of State accept the appeal filled by the oldest French ISP, French Data Network (FDN), this decree will be declared void and Hadopi's action will be delayed6.

Moreover, while interconnection between Hadopi's and rights holders' computer systems is likely to be implemented, the connection between the authority and ISPs is far from being established. Indeed, the same decree of March 5th 2010 provides for7 the means to implement this interconnection are to be defined either by a covenant with ISPs, or in the absence of such an agreement, by a ministerial decree. Neither such a covenant, nor such a ministerial decree has been signed yet.

In addition, the issue of bearing the costs of identification of Internet subscribers is not settled yet. The minister, Frédéric Mitterrand declared in January during Hadopi's installation: “All ISPs must accept to pay. We are explaining them that they have to. Some have admitted it, not all.” For their part, ISPs consider that8 constitutional case law9 requires the State to bear the costs related to a public service mission, unrelated to the operators' activities.

However, the couple of hurdles mentioned so far are not insurmountable. They do not challenge Hadopi's repressive action, they just further delay the launch of the Hadopi's operations. Things are very different for decisions on the factual nature of offenses.

Non Automatic Penalties Need Evidence of Offense

In Hadopi's mission of “protecting works and objects to which copyright or related rights are attached”, a decree is also pending: the decree specifying “the procedure for evaluating and labeling security means”»10. These famous “security softwares“ were introduced through the Hadopi 1 Law. They are almost the only way for an Internet user to be exonerated from Hadopi's accusations, proving with their installation that the Internet user respected her obligation to secure her Internet access.

However, since the Constitutional Council has censored Hadopi 1 Law, in part because it disrespected the presumption of innocence, all that remains from Hadopi 1 and Hadopi 2 laws is the obligation for Internet users to secure their Internet access and for Hadopi to give a label security softwares that comply specifications it has published. But, according to General Secretary of Hadopy11, there would be no more connection between both obligations: the mere existence of labelled security softwares would not question sending of warnings, recommending however precisely to use some security means.

The legal validity of this argument has of course not been tested yet, since no mail has been sent as of today. Some Internet users, after having received a warning, could potentially try to challenge these recommendations as long as Hadopi hasn't discharge its duty of labelling. However, what is revealed here is independent of such legal validity. Indeed, it is now unquestionable, including from Hadopi's point of view, that it will be up to the prosecution to prove the offense of a lack of securisation of the Internet access, which is penalized by a class five offense for gross negligence. In other words, it will be up to the prosecutor to bring evidences that the Internet user who has been caught in Trident Media Guard's nets had not implemented any security means.

The publication of the decree defining gross negligence has also allowed jurists to confirm the prosecution's burden to prove the lack of effective security on the Internet access. This is due to the fact that the decree made the failure to secure the access a "constitutive element" of the offense and not an exception.

From there on, it does not matter that leaks about the labelling process revealed that the security means Hadopi was working on are real “filtering snitches”. They would, on the one hand, prevent file sharing software from running, block specific protocols or connections to websites known to offer unauthorised downloads. On the other hand, any deactivation of the “snitch” would be noted in a sealed log, that only a trusted third party can render readable. It is of little consequence, and even desirable to not run such software, since it does not automatically exonerate the user – due to presumption of innocence – but could instead even provide pieces of evidence to the prosecution.

The only evidence that Hadopi could provide to the prosecutor would be the own confession of the user, or timestamped IP addresses collected by TMG. However the latter is a very tenuous evidence, consistently rejected by courts12. An IP address can indeed be anonymized, and is easy to falsify, etc. Therefore, in order to prove the gross negligence of an Internet user, a prosecutor would have to order an investigation or an enquiry, which seems incompatible with the will to automatically punish a mass practice.

As a consequence, unless citizens ignore their right to remain silent, it seems implausible that Hadopi could ever get anyone condemned. It is therefore not much more than a “fear engine”, a conclusion that even the strongest proponents do not deny13.

This conclusion is reinforced by a memo that the Ministry of Justice circulated at the end of August to the prosecutors14. This memo gives them orders to: “in the dual objectives of ensuring swift criminal response and keeping the new system from flooding police services, a second investigation by those services should be avoided, except for special cases, when the elements provided by HADOPI are sufficient to establish the minor offense of gross negligence against the Internet connection owner, and to guarantee the adversarial nature of the proceedings.” Since the reliability of the IP address collected by TMG cannot be challenged, we cannot see how, without further investigation, they would hold as evidence to prove Internet users' guilt, barring confessions by themselves or by the “snitch” software they could have the silliness of installing.

Threatened Threat-Sending

But the wording of the last decree, published July 26th, 201015 relative to the procedure followed by the CPC to collect the referrals of rights holders representatives, to warn Internet users and eventually to forward the cases to the prosecution, reveals that even the role of pure intimidation is questionable. Indeed, to send a warning, by e-mail and then by registered letter, Hadopi must request the personal data of Internet users collected by TMG from the ISPs. Yet, article R331-37 IPC, established by this decree, states that “Operators of electronic communication communications […] are required to pass on personal data and information referred to paragraph 2 of the annex of decree n° 2010-236 of March 5th, 2010 within eight days after the transmission by the Committee for the Protection of Copyright of technical data needed to identify the subscriber whose access to public online communication services has been used for reproducing, showing, making available or communicating to the public works or property protected by copyright or a related right without the authorization of the copyright holders[…]”16.

In that respect, the decree is compliant with article L331-21 IPC provided from Hadopi 1 Law, which wordings from its fifth paragraph17 is almost duplicated. But it should be noted that everywhere else, in Hadopi 1 and Hadopi 2 Laws18, in decrees of application19 or in others paragraphs of this same decree of July 26th, 201020, when such a potential offense is mentioned, it is always qualified to be “likely“. Implicitly, this offense becomes blatant only after being established by a court ruling.

Criminal law being of strict interpretation, article R331-7 IPC can only be read as forcing ISPs to provide identification data of a subscriber to Hadopi once it is established that a copyright infringement occurred and that a particular person's Internet access is involved. But Hadopi is not able to judge that either of those conditions has in fact been met. Article L331-21-1 IPC, setup by Hadopi 2 Law specifies: “The members of the Committee for Protection of Copyright, together with its agents dully authorised and sworn before the judicial authority referred to in Article L. 331-21, may ascertain the commission of facts likely to constitute offenses provided for herein when they are punishable by the supplementary penalty of suspension of access to a public online communication service as referred to in articles L.335-7 and L.335-7-1”. But in no case does the Hadopi have the power to judge of the factual nature of a copyright infringement, nor that it has been operated through a specific person's Internet access. Should the Hadopi do so, there would be good reason to denounce the presumption of guilt that so doing demonstrates.

The ruse, used since the beginning of the Hadopi laws and which consists in punishing not the act of copyright infringement itself but the default of securing the Internet access used to do so, will fail. Indeed, in any case, the copyright infringement has to be proven and established. And so it must be proven and established that the Internet access of a specific person has been used to commit said act. Otherwise, one cannot be blamed for failing the duty of securing one's Internet access. The absence of security is a consequence of ascertaining that a copyright infringement has been committed through this Internet access21. And only a judge may establish these facts, based upon the evidences provided by the prosecution or right holders representatives during a civil procedure. However the latter do not want to have recourse to such procedures, criminal or civil, except for cases involving a significant volume of shared files. The difficulty to compile evidences and the length of the procedures will reserve them for the gravest cases, the rest of the “common” files sharing is left to the innocuous dissuasion procedure of Hadopi, which is more able to process, through fear, a massive practice. But Hadopi being under the condition, as demonstrated, of a judgment of copyright infringement and its link with an Internet acces, the snake bites its tail!

The Constitutional Council has authorized the automated processing that links an Internet user's identification to a copyright infringement only under the condition that Hadopi would be involved prior to a legal action22. The offense of gross negligence for not securing one's Internet access can only be pronounced following the repetition of the commission of an act for which Hadopi has already sent a recommendation23.
Consequently, the simple fact for Hadopi to send a warning affects the subscriber adversely, and is an integral part of a legal action. Which would contradict the decision of the Constitutional Council, if a judicial ruling has not previously authorized to send this warning.

From the dream of a punishing machine, through the idea of a scaring machine, Hadopi is in the end only a machining machine! Without any consequence on culture, the creation thereof, nor its dissemination on the Internet. Not even scared!

1. During Council of Ministers of July 28th 2010, the minister of Culture and Communication has claimed that: “The Hadopi is now ready to start its action. As an independent public authority, it will fix the suitable time to send by mail the first warnings to offenders, based on referrals transmitted by rights owners.” – throughout this paper, translation of French quotes and French law and decrees is made by the author.

2. “The Hadopi is ready to kick off its action with regard to three-strikes measures”, has said Marie-Françoise Marais, president of the Hadopi, during a press conference on Monday June 28th 2010.

4. More precisely, this role falls to the Committee for the Protection of Copyright (CPC). However, since press relations launched by the Hadopi itself are mixing up both entities, and since this article is an answer to this communication, it will refers without distinction to Hadopi or to CRP.

5. Article L36-5 of Postal and Electronic Communications Code lays down that “Regulating Authority of Electronic and Postal Communications is consulted on law, decree or regulation bills about the field of electronic communications and contributes to their implementations”.

6. Moreover, FDN has filled another appeal in August, attacking this time decree n° 2010-872 of July 26th 2010, about procedure behind the CRP, on the grounds that this latest decree is strongly refering to decree of March 5th, and would have no legality should the first one be declared void. Since the Hadopi is urging its communication that first warnings are about to be sent, this last appeal has been requested for summary suspension.

7.Article 8: “2° On the other hand, processing implemented by operators of electronic communications and service providers referred in Annex 2 of the present decree in order to fetch data and information referred in the same paragraph. This interconnection is implemented by means that are defined according to a covenant closed with targeted operators and service providers, or, in the absence of such a covenant, according to a ministerial decree taken jointly by minister in charge of culture and minister in charge of electronic communications“.

8. Thus, the French Federation of Telecoms, gathering 98% of fixed and mobile operators, has restated its position to online magazine silicon.fr: “The Federation contests the possibility that operators bear the costs for the implementation of the whole 3-strikes plan. […] the State should not impose financial costs on the operators for a mission of general interests unrelated to the activity of these same operators. […] Responsible people for identifying IP addresses have not even been recruited. Pending the update of all operators' information systems operators, which could take at least one year, the identification of IP addresses will be done by hand”.

9.Decision n° 2000-441 DC of the Constitutional Council on December 28th 2000 about supplementary budget for 2000: « 41. If it is open to Parliament, in accordance with the constitutionally guaranteed freedoms, to require telecommunications operators to implement and operate the technical operations allowing interceptions justified by the needs of public safety, the contribution thus made to safeguard public order, in the interest of the population is unrelated to the operation of telecommunications networks; and the resulting expenditures cannot therefore, by their nature, directly falls to the operators”.

10. This decree is imposed by Article L331-32 IPC: “After having consulted designers of security means aimed to prevent unlawful usage of access to a public online communication service, entities whose activity is to provide such services, along with companies governed by Title II of this book and duly constituted agencies defending professionals, the High Authority shall make public the relevant functional specifications that these means should include.“After a certified review taking into account their compliance with specifications under the first paragraph and their efficiency, the High Authority shall establish a list labelling security means. This labelling is periodically reviewed.“A decree before the Council of State specifies the procedure for evaluation and labelling of these security means.”

12. An article in the French newspaper Le Monde entitled: “Identity theft, downloading: the reliability of IP addresses is questionable”. The minister of culture, in a response to a written question by a member of parliament admitted: “The law does not ignore the fact that good-faith Internet users' vigilance could be trumped by third parties highjacking their IP address”.

13. At the end of July 2010, a media campaign started insisting on the “fear of authority” that Hadopi would inspire.

14. This memo also confirms the pipe-dream of massive quasi-automatic penalties. By reaffirming, on the one hand, the predominance of prosecutions based on gross negligence over those based on copyright infringement: “It is precised that agents of HADOPI may ascertain criminal offenses provided for in section III of IPC [N/A: copyright infringements], subject to the condition that they are punishable by the supplementary penalty of suspension to an access to a public online communication service as provided for in articles L.335-7 and L.335-7-1 of the same code (new article L.331-21-1 of the IPC). Theses powers remain nonetheless residual. […] So as to ensure adequacy between the offending behavior and the criminal response, this path of minor offense should be favoured, of course once all the constitutive elements of the offense are qualified, for first-offenders and for limited-scale downloads. Conversely, the offense of infringing copyright should be sought after and prosecuted in case of repeat offense, or of massive and usual downloads from the Internet, in violation of the protections of copyright and related rights”. On the other hand, by insisting on the predilection for summary procedures of criminal orders – which assume nonetheless that it is simple to establish the substance of the facts: “Moreover, the procedure of criminal order should be favoured when prosecuting for the minor offense of Internet access owner's gross negligence.”

15.Decree n° 2010-872 of July 26th, 2010 relating to the procedure before the Committee for the Protection of Copyright of the High Authority for the Diffusion of Works and the Protection of Copyright on the Internet.

17. “[Members of the Committee of Protection of Copyright and its agents referred to in first paragraph] may in particular get from operators of electronic communications the identity, postal address, electronic address and telephone numbers of the subscriber whose access to public online communication services has been used for reproducing, showing, making available or communicating to the public works or property protected by copyright or a related right without the authorization of the copyright holders provided for in Books I and II when such authorization is required.”

18.Article L331-25: “[…] When called upon about facts likely to constitute a breach of duty defined in Article L. 336-3, the Committee for the Protection of Copyright may send to the subscriber, under its seal and for its own account, by electronic means and through the entity whose activity is to provide an access to a public online communication service and who has entered into an agreement with the subscriber, a recommendation reminding him of the provisions of Article L. 336-3, enjoining him to respect the duty they define and warning him of penalties incurred under Articles L. 335-7 and L. 335-7-1.In the event of a repetition, within a period of six month from the sending of the recommendation referred to in the first paragraph, of facts likely to constitute a breach of duty defined in Article L. 336-3, the committee may send a new recommendation including the same informations than the previous one by electronic means in the conditions provided for in the first paragraph.”Article L331-21-1: “The members of the Committee for the Protection of Copyright, together with its agents dully authorised and sworn in before the judicial authority referred to in Article L 331-21, may ascertain the commission of acts likely to constitute offences provided for herein when they are punishable by the supplementary penalty of suspension of access to a public online communication service as referred to in Articles L 335-7 and L 335-7-1.”

19.Annex of decree of March 5th, 2010: “With regards to the commission of facts likely to constitute a breach if duty defined in Article L. 336-3 of the Intellectual Property Code […]”.

20.Article R331-40: “When, within a period of one year following the recommendation mentioned in the first paragraph of Article L. 335-7-1, the Committee for the Protection of Copyright is called upon about a new commission of facts likely to constitute a gross negligence defined in Article R. 335-5, it inform the subscriber, by a registered letter delivered in person and duly signed for, that this commission of facts is likely to be prosecuted.”Article R331-42: “The Committee for Protection of Copyright ascertains through a deliberation taken with a majority of at least two votes that the commission of facts is likely to constitute the offense provided for in Article R. 335-5 or the offenses provided for in Articles L. 335-2, L. 335-3 and L. 335-4.”Article R331-43: “The deliberation of the committee ascertaining that the commission of facts is likely to constitute an offense, to which shall be attached, as circumstances dictate, a formal record summarizing all the facts and proceedings, along with any useful exhibit, is transmitted to the public prosecutor of district court of competent jurisdiction.”Article R331-46: ”[…] If the entity whose activity is to provide an access to an public online communication service fails to implement the notified order to suspend access, the Committee for the Protection of Copyright deliberates, in the conditions for majority defined in Article R. 331-42, in order to inform the public prosecutor about the commission of facts likely to constitute the misdemeanor referred to in the sixth paragraph of Article L. 335-7.”

21.Article L336-3 IPC: “A person who has subscribed to internet access to online public communication services is under a duty to ensure that said access is not used for reproducing, showing, making available or communicating to the public works or property protected by copyright or a related right without the authorization of the copyright holders provided for in Books I and II when such authorization is required.”

22.Decision n° 2009-580 DC of June 10th, 2009 (Hadopi 1): “28. Subsequent to the censure resulting from the foregoing paragraphs 19 and 20, the Committee for the Protection of Copyright cannot impose the penalties provided for by the statute referred for review. Its sole role consists in taking measures preliminary to the institution of legal proceedings.”

23.Article R335-5: “[…] 1° Under Article L. 331-25 and in the manner provided for by this article, the subscriber of an access has been notified by the the Committee for the Protection of Copyright to implement a means of securing the access, thus allowing the subscriber to prevent reuse of the access for reproducing, showing, making available or communicating to the public works or property protected by copyright or a related right without the authorization of the copyright holders provided for in Books I and II when such authorization is required;2° In the year following the presentation of such notice, that access is again used for purposes referred to in 1° of present II.